Does anyone have examples of how to use Splunk to detect malware infections across multiple hosts?
Multiple, simultaneous viruses are a concern because they can indicate an exploit kit that tries several techniques where some succeed on a single host with multiple unrelated viruses. Prioritize these hosts and investigate them immediately to ensure nothing is missed.
This use case is from the Splunk Security Essentials app. For more examples, see the Splunk Security Essentials app on Splunkbase.
How to implement: With Symantec logs onboard, these searches should work easily. If you have a different anti-virus product, adapt the searches to the field names and source types for that product. Search on Splunkbase for a Splunk add-on that maps field names and source types to the Common Information Model.
Data check: This use case requires Symantec AV data.
Find hosts that logged into multiple, different, and infected endpoints in a short period of time.
Use the following search:
index=* tag=malware tag=attack
| transaction maxpause=1h dest
| where eventcount>=3 AND duration>240
| table Occurrences, signature, Requested_Action, Actual_Action, Secondary_Action, ApplicationHash, HashType, dest, src, user, Confidence, Disposition, file_path, Prevalence, _time
Best practice: In searches, replace the asterisk in index=* with the name of the index that contains the data. By default, Splunk stores data in the main index. Therefore, index=* becomes index=main. Use the OR operator to specify one or multiple indexes to search. For example, index=main OR index=security. See About managing indexes and How indexing works in Splunk docs for details.
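To make the search's logic concrete, here is an added Python illustration (not part of the original answer or of the Splunk Security Essentials app) that reproduces what the transaction and where stages compute over a constructed set of AV events, so you can see why each host is or is not flagged. The event fields (_time, dest, signature) mirror the CIM fields the search uses; the sample data is constructed, not real Symantec output.

```python
from collections import defaultdict

MAXPAUSE = 3600      # transaction maxpause=1h (seconds)
MIN_EVENTS = 3       # where eventcount>=3
MIN_DURATION = 240   # where duration>240 (seconds)

def _summarize(dest, evs):
    """Fields Splunk adds to each transaction: eventcount and duration."""
    return {"dest": dest, "eventcount": len(evs),
            "duration": evs[-1]["_time"] - evs[0]["_time"],
            "signatures": sorted({e["signature"] for e in evs})}

def sessionize(events, maxpause=MAXPAUSE):
    """Group events per dest like `transaction maxpause=1h dest`: a new
    transaction starts when the gap to the previous event on the same dest
    exceeds maxpause. Returns one summary dict per transaction."""
    by_dest = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["_time"]):
        by_dest[ev["dest"]].append(ev)
    transactions = []
    for dest, evs in by_dest.items():
        current = [evs[0]]
        for prev, ev in zip(evs, evs[1:]):
            if ev["_time"] - prev["_time"] > maxpause:
                transactions.append(_summarize(dest, current))
                current = []
            current.append(ev)
        transactions.append(_summarize(dest, current))
    return transactions

def multi_infection_hosts(events):
    """Apply `where eventcount>=3 AND duration>240` to the transactions."""
    return [t for t in sessionize(events)
            if t["eventcount"] >= MIN_EVENTS and t["duration"] > MIN_DURATION]

# Constructed sample AV events (not real Symantec data); _time is epoch seconds.
SAMPLE = [
    {"_time": 1000, "dest": "host-a", "signature": "Trojan.Generic"},
    {"_time": 1300, "dest": "host-a", "signature": "Downloader.Generic"},
    {"_time": 1900, "dest": "host-a", "signature": "Adware.Generic"},
    {"_time": 1000, "dest": "host-b", "signature": "Trojan.Generic"},  # burst of
    {"_time": 1060, "dest": "host-b", "signature": "Trojan.Generic"},  # 3 hits in
    {"_time": 1120, "dest": "host-b", "signature": "Trojan.Generic"},  # 2 minutes
    {"_time": 1000, "dest": "host-c", "signature": "Downloader.Generic"},
    {"_time": 1100, "dest": "host-c", "signature": "Adware.Generic"},
    {"_time": 9000, "dest": "host-c", "signature": "Trojan.Generic"},  # >1h gap
]
```

Calling multi_infection_hosts(SAMPLE) returns only the host-a transaction: host-b fails the duration>240 test (a single two-minute burst), and host-c's events split into two separate transactions at the gap longer than maxpause, neither of which reaches three events.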
How to respond: Use your malware response procedure.
This search works with Symantec logs onboard. However, you can adapt it to work with a different anti-virus product by updating the field names and source types for that product. Search Splunkbase to find a Splunk Add-on that maps your product to the Common Information Model.
This search is for Symantec AV data. However, you can adapt it to work with other anti-virus products.
If no results appear, deploy the Add-ons to the search heads to access the knowledge objects necessary for simple searching. See About installing Splunk add-ons on Splunk Docs for assistance.
For more support, post a question to the Splunk Answers community.